Site-to-Site IPSec with certificate chain help

Jester · September 18, 2023, 5:52pm

Hi, Im wonering if you can help me. Im currently x509 certification with Site-to-site IPSec tunnels. I’ve been following this guide:

Eveything works great if I use R1 as the CA. It continues to work fine if I use a 3rd router as the CA to generate certs for R1 and R2. What I can’t get working is adding an intermediary to generate the router certs.

The tunnels consistently fail to build with the log error message of no trusted RSA public key found for …

Has anyone had experence of buiding site-to-site tunnels using certificate chains as I’m probaly missing something simple.

Thanks

a.srividya · September 20, 2023, 2:22pm

Created a task for this:

https://vyos.dev/T5606

Jester · September 20, 2023, 4:08pm

Thanks for raising this. It alligns with my findings.

If anyone else is having the problem the workaround I have found is to create additional ‘fake peers’. By referencing the missing certificates in these fake peers and setting them to connection-type: none the certificates get added to the correct folder without creating any failed IPSec connections. The certificates then persist after a reboot.